Corporate computer systems often store confidential internal and customer information. As a result, they are frequently targeted for attacks by directed attackers (also called “hackers” or “crackers”) who wish to use the confidential information for unlawful purposes. In fact, for many businesses, the increasing threat of the exposure of confidential information in networked computer systems represents the largest area of concern for financial loss, especially when customer credit card or banking details may be exposed. Total losses in 2005 due to the theft of confidential information from computer systems are estimated to be $30 million.
A directed attacker attempts to penetrate a specific target computer system by discovering and exploiting weaknesses that make the particular computer system vulnerable. One technique for doing this is called network fingerprinting. A packet of data transmitted from a networked computer system typically contains information in a set of protocol header fields corresponding to its particular protocol stack (e.g., Transmission Control Protocol (TCP) and Internet Protocol (IP)). Unfortunately, the content of many of these protocol header fields may reveal configuration information about the sending computer system. Using network fingerprinting techniques, a directed attacker may analyze the revealing content elements in the protocol header fields in order to determine a computer system's operating system, software applications, equipment manufacturers, protocol header vendors, and other detailed system information. For example, a computer system's operating system (e.g., Microsoft Windows®, Linux®, Mac OS®, etc.) can usually be accurately determined by examining the content of fewer than nine different TCP/IP protocol header fields. Once this information is determined, the attacker leverages any detected vulnerabilities in order to penetrate the targeted computer system's security features. After gaining access to the target computer system, the attacker then steals and/or destroys information, depending on the attacker's motives. The attacker may also install “backdoors” such as Trojans or rootkits to bypass security patches or improved security mechanisms that may be implemented in the future. Such backdoors are typically very hard to detect and to eliminate.
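As an added illustration that is not part of the patent text, the following Python script shows the kind of TCP/IP header fields the passage refers to and the defender's counterpart to fingerprinting: parsing those fields out of a packet, comparing them against a chosen "neutral" profile, and rewriting them (with valid checksums) before the packet leaves the host. The packet bytes, the neutral profile values, and all function names are constructed for this example; the fields used (IP TTL, DF flag, IP identification, TCP window) are ones fingerprinting tools commonly compare, but no mapping from particular values to a particular operating system is asserted here.

```python
import struct

# Constructed policy for this example: the values every outgoing SYN should
# carry regardless of the sending host's real stack. Chosen arbitrarily.
NEUTRAL_PROFILE = {"ttl": 64, "df": True, "window": 65535}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words.
    Applied to data that already contains a correct checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_sample_packet(ttl: int, df: bool, window: int) -> bytes:
    """Constructed IPv4 + TCP SYN (no options, no payload), 40 bytes total.
    Hand-built for the example; it is not a captured packet."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    flags_frag = 0x4000 if df else 0            # DF is bit 0x4000
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234,
                         flags_frag, ttl, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02,
                          window, 0, 0)
    csum = tcp_checksum(src, dst, tcp_hdr)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def parse_header_fields(packet: bytes) -> dict:
    """Extract the small set of header fields that commonly reveal the stack."""
    ihl = (packet[0] & 0x0F) * 4
    ip_id, flags_frag = struct.unpack("!HH", packet[4:8])
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return {"ttl": packet[8], "df": bool(flags_frag & 0x4000),
            "ip_id": ip_id, "window": window}


def audit_fields(fields: dict, profile: dict) -> dict:
    """Report fields whose value differs from the neutral profile:
    {field: (observed, expected)}."""
    return {k: (fields[k], v) for k, v in profile.items() if fields[k] != v}


def normalize_packet(packet: bytes, profile: dict) -> bytes:
    """Rewrite the revealing fields to the profile values and recompute both
    the IP header checksum and the TCP checksum (which covers the window)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[8] = profile["ttl"]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    flags_frag = (flags_frag | 0x4000) if profile["df"] else (flags_frag & 0xBFFF)
    ip[6:8] = struct.pack("!H", flags_frag)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[14:16] = struct.pack("!H", profile["window"])
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(bytes(ip[12:16]),
                                                bytes(ip[16:20]), bytes(tcp)))
    return bytes(ip + tcp)


if __name__ == "__main__":
    pkt = build_sample_packet(ttl=128, df=True, window=8192)
    fields = parse_header_fields(pkt)
    print("observed:", fields)
    print("deviations from profile:", audit_fields(fields, NEUTRAL_PROFILE))
    fixed = normalize_packet(pkt, NEUTRAL_PROFILE)
    print("after normalization:", parse_header_fields(fixed))
```

In a real deployment the `normalize_packet` step would sit in an egress packet filter or a proxy rather than operate on hand-built bytes, and it would also have to handle TCP options (their presence and order are fingerprinted too) and IPv6; the point the example makes is that scrubbing must keep both checksums valid or the rewritten packet is simply dropped.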
A popular network fingerprinting tool is Nmap, presently available without cost as open-source software from Insecure.org. Nmap tests a target computer system by sending a series of TCP and User Datagram Protocol (UDP) data packets to the target computer system and examining the responses that it receives. After performing dozens of such tests, Nmap compares the results to its database of more than 1,500 known operating system fingerprints and displays the operating system details if there is a match.
In addition to, or as an alternative to, the above-described network fingerprinting, a directed attacker may attempt to discover configuration information about a target computer system by simply trying to access the target system through its available communication applications. These communication applications will often implement communication protocols such as the Teletype Network Protocol (TELNET), the File Transfer Protocol (FTP), and the Simple Mail Transfer Protocol (SMTP). Frequently, these communication applications display a banner (or response header) on their login and exit screens, as well as on other screens (e.g., screens indicating that the maximum number of connections has been reached). As in the case of protocol header fields, the content of these banners may reveal operating system and version information in addition to other information that can be exploited by a determined directed attacker. This additional or alternative discovery technique is sometimes called “banner grabbing.”
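As an added example (not from the patent), the following Python script shows the defender's side of the banner problem described above: auditing the banners a host's own services emit for product names, version numbers, operating system names and addresses, and replacing a leaking banner with one that keeps the protocol reply code and nothing else. The sample banners and the detection patterns are constructed for this example; real deployments would extend the pattern lists to the products they actually run.

```python
import re

# Constructed sample banners (not captured from any real host). The last one is
# what a scrubbed SMTP greeting looks like.
SAMPLE_BANNERS = [
    "220 mail.example.test ESMTP Postfix (Ubuntu)",
    "220 ProFTPD 1.3.5 Server (Debian) [::ffff:192.0.2.10]",
    "220 Service ready",
]

# Ordered so that an IPv4 address is classified as "ip" before the looser
# version pattern can claim its dotted digits. Lists are illustrative only.
LEAK_PATTERNS = [
    ("ip", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("version", re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")),
    ("os", re.compile(r"\b(Ubuntu|Debian|CentOS|FreeBSD|Windows|Linux)\b", re.I)),
    ("product", re.compile(r"\b(Postfix|Sendmail|Exim|ProFTPD|vsFTPd|OpenSSH)\b", re.I)),
]


def audit_banner(banner: str) -> dict:
    """Return {category: [matched strings]} for everything in the banner that
    discloses configuration; an empty dict means the banner is clean."""
    findings = {}
    text = banner
    for kind, pattern in LEAK_PATTERNS:
        hits = pattern.findall(text)
        if hits:
            findings[kind] = hits
            text = pattern.sub(" ", text)   # consumed; later patterns skip it
    return findings


def sanitize_banner(banner: str, generic: str = "Service ready") -> str:
    """Keep the three-digit reply code (required by SMTP/FTP clients) and
    replace the free text with a generic phrase."""
    m = re.match(r"^(\d{3})[ -]", banner)
    return f"{m.group(1)} {generic}" if m else generic


def audit_all(banners: list) -> list:
    """Pair every banner with its findings; useful as a periodic self-check
    against the host's own listening services."""
    return [(b, audit_banner(b)) for b in banners]


if __name__ == "__main__":
    for banner, findings in audit_all(SAMPLE_BANNERS):
        status = "LEAK" if findings else "ok  "
        print(f"[{status}] {banner!r} -> {findings}")
        if findings:
            print(f"       replace with: {sanitize_banner(banner)!r}")
```

The audit is only as good as its pattern lists, so the useful deployment pattern is to run it against every listening service after each software upgrade, since package updates routinely restore a verbose default banner that an administrator had previously replaced.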
There are, of course, several existing techniques for securing networked computer systems. Nevertheless, although these techniques have some success in stopping mass attacks (i.e., attacks that are not directed at a particular computer system), they are typically not adequate to prevent directed attacks by sophisticated attackers or attacks involving previously unknown vulnerabilities (e.g., vulnerabilities that have not yet been patched). Network firewalls, anti-virus software, and intrusion detection systems, for example, attempt to discover malicious content in data packets sent to and from a computer system and to restrict network access to legitimate users and systems. Even so, these conventional techniques continue to allow packets that carry no malicious content, but whose header fields reveal information exploitable by network fingerprinting, to be transmitted from a networked computer system. In addition, these conventional techniques do not typically examine the content that a communication application provides in its banners. Sensitive confidential data, as a result, continues to remain potentially exposed.
For these reasons, a need exists for additional techniques and apparatus for reducing the vulnerability of networked computer systems to directed attacks.